30 December 2018

How the U.S. Approach to Cyber Conflict Evolved in 2018—and What Could Come Next

Kate Charlet

2018 was in many ways a watershed year for the United States in cyberspace. Washington revamped its cyber strategy. It loosened authorities for military cyber operators. It responded to large-scale global cyberattacks. And it dealt with chilling intrusions on its critical infrastructure. Looking back, though, what did all these changes mean, and how well did U.S. cyber policy fare?

Let’s start with the good news. In two particular areas—attribution and indictments—the United States has shown clear improvements in responding to inappropriate behavior in cyberspace. Over the past year, the Department of Justice significantly increased the pace of indictments against Chinese, Russian, Iranian and North Korean individuals for state-linked cyber activities. The department announced, for example, only one such indictment in 2014, but at least eight in 2018. Such steps, with some exceptions, are not usually enough to change national policies, and more data and analysis are needed to judge their real impact. In theory, though, and especially over the longer term, indictments and sanctions can make it harder for countries to recruit young talented hackers, who may not want to be restricted from travelling to or dealing financially with the United States and Europe.

Another important shift has been the increase in coordinated international attribution of malicious behavior in cyberspace. In the past, official U.S. statements of attribution for cyberattacks were unusual; the rare public finger-pointing at North Korea for the 2014 hack on Sony Pictures Entertainment was a notable exception. In 2018, however, governments became much more willing to attribute cyberattacks, and to do it together. This demonstrates that attribution is increasingly possible, if often slow. And when a state makes a public attribution, it is more likely to step up with additional measures.

Last February, for example, the United States attributed NotPetya—what Wired magazine has called “the most devastating cyberattack in history”—to the Russian military. But far more notable was that this attribution involved coordinated finger-pointing from six other nations—the United Kingdom, Denmark, Lithuania, Estonia, Canada and Australia—and statements of support by five more—New Zealand, Norway, Latvia, Sweden and Finland. Public naming-and-shaming, of course, has limited direct impacts, especially on a nation like Russia that denies everything and cares little for international norms. But it serves other beneficial purposes: enhancing practical cooperation among nations, communicating clearer rules of the road in cyberspace, and building international legitimacy to impose consequences on the perpetrators.

These steps are positive, and the United States deserves credit for them. In other areas, however, senior U.S. officials have made major shifts that are more difficult to assess. Depending on how such policy changes are implemented—and how they are understood by U.S. competitors in cyberspace—the new policies could prove either beneficial or destabilizing.

One such shift was a new presidential directive that loosens the rules for offensive cyber operations. Announcing the new national strategy for cyberspace, which was notable less for its contents than simply for being the first of its kind, National Security Adviser John Bolton made some characteristically fiery remarks. “We will respond offensively as well as defensively” to harmful cyber activity, he said, confirming the U.S. has “authorized offensive cyber operations” for approval under the new directive.

Few details are available about the newly relaxed rules, so it is hard to assess their impact. Defense Department officials have emphasized that the new approach will not create a new wild west or place the military out of control. The hope, instead, is to correct a paralyzed system that failed to gain approval for even the most reasonable and measured actions. But some U.S. scholars, as well as Chinese scholars, are asking whether looser rules could escalate conflict in cyberspace, lead to more tit-for-tat cyberattacks, or incentivize longer-term offensive build-ups. Ultimately, if the new rules allow for proper analysis of the policy implications of cyber operations, a major escalation is unlikely. Nonetheless, the United States should find ways to maintain communications with competitors like China to reduce the risk of misunderstanding and escalation. 

Finally, there are areas in which U.S. cyber policy has not fared so well. The first is in reducing the severe national vulnerability to cyberattacks. Case in point: Despite the U.S. attribution of and response to a major Russian hacking campaign against the American electrical grid last March, threat intelligence researchers are still observing a “concentrated Russian cyber espionage campaign targeting the bulk” of that grid. Granted, Russia would think hard about such a major and sudden cyberattack, since its cyber capabilities are a means of exerting national influence without drawing the U.S. into a conventional conflict, where Moscow is at a significant disadvantage. Protecting critical infrastructure is a complicated prospect, primarily involving private assets over which the government has little control. But the level of intrusions remains unacceptable. More work is needed to communicate, exercise responses to cyber threats, and incentivize, or push, owners and operators to better secure their systems. 

Also languishing is American influence over the development of international cyber norms. The United Nations Group of Governmental Experts, which has developed these norms in the past, failed to make progress in the summer of 2017, after states could not agree on a final report. Last month, the U.N. General Assembly adopted not one, but two separate processes to address cyber norms, which may end up competing against one another. And, whether due to slow bureaucracy, a reticence to be restrained or a suspicion of the process, the United States conspicuously declined to join the French-led Paris Call, a series of normative statements on cybersecurity signed by hundreds of nations, companies and organizations. Establishing norms is tedious but important work, and while there are many reasons for the torpor in this area, the Trump administration’s allergy to anything remotely multilateral has not helped.

In cybersecurity as in much of global affairs, 2018 has offered ample justification for both optimism and gloom, and 2019 portends more of the same. One thing is certain: There will be surprises.
